When I joined the Mayo Supply Chain team back in 2007, we had a smattering of procurement cards across the organization (probably around 600). In addition, we had just required travel cards be used for travel in most or all circumstances. At that time, however, we didn’t have a robust way to audit for fraud or misuse. Sure, we were randomly sampling our cards, but what were the odds we would happen across fraud, waste, abuse or anything interesting? It was only by happenstance that we found issues. The light bulb came on one day when someone external to our department pointed us to a fairly obvious issue with a card, a scenario we probably should have noticed but did not. It was at that time that Mayo began to discuss a risk-based approach.

In 2009, Mayo Supply Chain formed a cross-functional group, locked ourselves in a room and stepped through every single “what could go wrong” scenario as it related to holding a credit card. How would I abuse the system if I wanted to commit a fraud? What would be the ways I (as an auditor) might be able to find suspect transactions and behavior? Any and all thoughts were accepted at this point, even the most bizarre.

The second step was to take each scenario and match it against all the data we had available to us, including the credit card system, ERP, expense reimbursement system, etc. If we didn’t find a piece of data we needed (and thought someone would have), we asked for it. And often, we found it was available, somewhere.